3.4.5 Controlling Access to Active Directory Objects
Windows Server 2003 controls access to all Active Directory objects with an object-based security
model similar to the one used to implement NTFS security. Each Active Directory object
has a security descriptor that defines the permissions to the object and the type of access that is allowed.
Windows Server 2003 uses these security descriptors to control access to the Active Directory objects. An
administrator or the object owner must assign permissions to the object before users can gain access to the
object. Windows Server 2003 stores a list of these assigned user access permissions for every Active
Directory object in the access control list (ACL). This allows you to assign permissions or administrative
privileges to a specific user or group for an OU, a hierarchy of OUs, or a single object, without assigning
administrative permissions for controlling other Active Directory objects.
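
The following is an added example, not part of the original text: it parses a security descriptor in Windows' SDDL string form and lists the explicit allow entries that delegate rights on an OU to non-administrative trustees. The sample descriptor, the help-desk SID and the GUID are constructed placeholders, and the function names are hypothetical.

```python
import re

# SDDL two-letter codes for directory-service and standard access rights.
RIGHTS = {
    "RP": "read property", "WP": "write property", "CC": "create child",
    "DC": "delete child", "LC": "list contents", "LO": "list object",
    "SW": "validated write", "DT": "delete tree", "CR": "control access",
    "RC": "read permissions", "SD": "delete", "WD": "modify permissions",
    "WO": "modify owner", "GA": "generic all", "GR": "generic read",
    "GW": "generic write", "GX": "generic execute",
}
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow", "OD": "deny"}

def pairs(field):
    """Split a run of two-letter SDDL codes, e.g. 'CIID' -> ['CI', 'ID']."""
    return re.findall("..", field)

def parse_sddl(sddl):
    """Return (owner, aces) from the O: and D: parts of an SDDL string."""
    owner = re.search(r"O:(.+?)(?=[GDS]:|$)", sddl).group(1)
    dacl = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        kind, flags, rights, obj_guid, _inherit_guid, trustee = body.split(";")[:6]
        aces.append({
            "access": ACE_TYPES.get(kind, kind),
            "trustee": trustee,
            # Hex masks (0x...) are kept raw; letter codes are decoded.
            "rights": [rights] if rights.startswith("0x")
                      else [RIGHTS.get(r, r) for r in pairs(rights)],
            "limited_to": obj_guid or None,       # property/class GUID, if any
            "inherited": "ID" in pairs(flags),    # came from a parent container
            "flows_to_children": "CI" in pairs(flags),
        })
    return owner, aces

def delegated(aces, admins=frozenset({"DA", "EA", "SY", "BA"})):
    """Explicit allow ACEs granted to anyone outside the admin aliases."""
    return [a for a in aces if a["access"] == "allow"
            and not a["inherited"] and a["trustee"] not in admins]

# Constructed security descriptor for an OU (SID and GUID are placeholders).
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
OU_SDDL = ("O:DAG:DAD:(A;;GA;;;DA)(A;CIID;GR;;;AU)"
           f"(OA;CI;RPWP;11111111-2222-3333-4444-555555555555;;{HELPDESK})"
           f"(A;CI;CCDC;;;{HELPDESK})")

if __name__ == "__main__":
    for ace in delegated(parse_sddl(OU_SDDL)[1]):
        print(ace)
```

The two entries reported for the help-desk SID carry the container-inherit flag, so they apply to the OU and the objects beneath it while leaving every other part of the directory untouched.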